Fiduciary Duty of Care
The Fiduciary Duty of Care in the context of cybersecurity is a legal obligation, typically placed on a corporation's directors and officers, to act with the level of prudence and diligence that a reasonably careful person would use in similar circumstances to protect the organization's information assets and systems from cyber risks. This duty fundamentally requires those in a fiduciary role to be adequately informed and to use reasonable judgment when overseeing the company's cybersecurity posture.
Core Components and Specific Obligations
The duty of care is not a guarantee against a cyberattack, but rather an obligation to make a good-faith effort and to follow a reasonable process for managing cyber risk. Key expectations for fulfilling this duty in a digital environment include:
Informed Oversight and Knowledge
Fiduciaries must take steps to become and remain reasonably informed about the organization's cybersecurity risks. This involves:
Understanding the Risk Landscape: Being aware of the most material and evolving cyber threats, such as ransomware, phishing, and supply chain vulnerabilities, that could impact the company's critical assets.
Acquiring Sufficient Knowledge: Ensuring the board or governing body collectively possesses, or has access to, enough cybersecurity literacy to ask pertinent questions and critically evaluate management's proposals.
Regular Reporting: Establishing and maintaining an effective, enterprise-wide reporting system to receive timely, accurate, and relevant information from management and the Chief Information Security Officer (CISO) regarding the company's cyber posture and specific "red flags."
Prudent Risk Management and Due Diligence
Fiduciaries must ensure management implements and maintains appropriate cybersecurity measures, demonstrating the same care a prudent person would exercise. This means:
Implementing a Robust Framework: Overseeing the adoption of a comprehensive, appropriate, and industry-standard cybersecurity framework (e.g., NIST, ISO 27001) that aligns with the organization's risk tolerance and regulatory requirements.
Resource Allocation: Making informed decisions about resource allocation, ensuring that sufficient financial, personnel, and technical resources are dedicated to cyber risk management, commensurate with the level of risk the company faces.
Third-Party Oversight: Exercising due diligence in selecting and monitoring third-party vendors and service providers, as their vulnerabilities can create an entry point for an attack against the company's data or systems. This includes contractual requirements for data protection.
Compliance and Monitoring
A crucial part of the duty involves ensuring the organization complies with applicable laws, regulations, and internal policies related to data security.
Regulatory Compliance: Monitoring compliance with relevant data protection and privacy laws, such as GDPR, CCPA, or HIPAA, which often impose strict security mandates.
Incident Response Planning: Requiring and approving a detailed and regularly tested incident response plan to ensure the organization can quickly and effectively contain, remediate, and disclose a data breach, minimizing damage.
Continuous Monitoring: Establishing systems for constant monitoring and periodic audits to ensure the implemented cyber defenses are operating effectively and to detect any "sustained or systematic failure" of oversight.
Legal and Practical Implications
A breach of the fiduciary duty of care in the cybersecurity context typically occurs when directors or officers are found to have engaged in a sustained or systematic failure of oversight, such as a conscious disregard for known risks or a failure to implement necessary reporting systems.
Shareholder Derivative Suits: If a significant data breach occurs, shareholders may bring a derivative lawsuit, alleging that the directors or officers breached their duty of care by failing to protect corporate assets, resulting in financial harm to the company (e.g., regulatory fines, litigation costs, reputational damage).
The Business Judgment Rule (BJR): The BJR generally shields directors from liability for honest mistakes or poor business outcomes, provided they acted on an informed basis, in good faith, and in the company's best interest. However, the BJR offers no protection when the breach of duty stems from a complete and sustained failure to institute a reasonable reporting and compliance system to gather the necessary information for oversight.
Personal Liability: In severe cases of gross negligence or a bad-faith failure to oversee cybersecurity, individual directors and officers may face personal liability for resulting damages.
ThreatNG, an all-in-one external attack surface management (EASM), digital risk protection, and security ratings solution, provides a continuous, attacker-centric perspective to help organizations understand and mitigate their cyber risk. It achieves this through a structured process that covers discovery, assessment, reporting, constant monitoring, investigation, and intelligence use.
External Discovery
ThreatNG performs purely external unauthenticated discovery, meaning it finds assets without needing any internal access or connectors. This mirrors how a real attacker would map an organization's digital footprint.
Example of External Discovery: ThreatNG uses DNS enumeration to identify all associated subdomains for a target organization. This process, coupled with WHOIS intelligence and Certificate Intelligence, can uncover forgotten or unknown assets like dev.oldproject-mycompany.com, which might still have an active, public DNS record pointing to a running server.
External Assessment
ThreatNG delivers detailed assessments as security ratings on an A-F scale. Each rating is derived from the organization's external attack surface and digital risk intelligence findings, so it reflects only what an unauthenticated outsider can observe.
Examples of Detailed External Assessment:
Subdomain Takeover Susceptibility: This assessment first identifies all associated subdomains and uses DNS enumeration to find CNAME records pointing to third-party services, such as a staging subdomain pointing to Heroku or Vercel. It then checks whether the CNAME target is an inactive or unclaimed resource on that vendor's platform, confirming a "dangling DNS" state that an attacker could exploit by claiming the resource and serving malicious content under the organization's name. A CNAME to a third-party service is not a finding by itself; the risk exists only while the vendor-side resource is unclaimed and the vendor lets anyone register that name.
BEC & Phishing Susceptibility: The rating for this risk is determined by findings across compromised credentials (Dark Web Presence), domain name permutations (e.g., typos like my-compnay.com that are available or taken), missing DMARC and SPF records from Domain Name Record Analysis, and email format guessability. An available domain permutation, such as mycompany-login.com, is a name an attacker could register for future phishing; a permutation already registered by an unknown party warrants checking for live mail or web records.
Cyber Risk Exposure: This score is based on issues like invalid certificates, exposed open cloud buckets (Cloud Exposure), compromised credentials, missing DMARC and SPF records, sensitive code exposure (e.g., exposed code secrets), and subdomain intelligence (e.g., exposed ports, missing security headers like HSTS or Content-Security-Policy). A missing HSTS header for a subdomain is a direct factor in this risk rating.
Mobile App Exposure: This evaluates the organization's mobile apps by discovering them in marketplaces and scanning their contents for exposed sensitive data. This includes finding Access Credentials (e.g., AWS Access Key ID, Stripe API Key, GitHub Access Token) or Security Credentials (e.g., RSA Private Key) embedded within the app content.
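The DMARC and SPF part of the BEC & Phishing Susceptibility check can be reproduced from public DNS. The following is an added example written for this page, not ThreatNG's code: it takes the TXT records a resolver would return for <domain> and _dmarc.<domain>, finds the conditions that let spoofed mail through (no SPF, a softfail or +all terminal mechanism, no DMARC, p=none, partial pct, no reporting address) and maps them to an A-F grade. The records and the point deductions are constructed and illustrative; a real check would fetch the records with a DNS library instead of reading the dictionary.

```python
"""Assess SPF and DMARC posture from a domain's DNS TXT records.

Added example for this page, not ThreatNG's code. The records below are
constructed; a real check would fetch <domain> and _dmarc.<domain> TXT
records with a DNS library and pass them to assess_email_auth().
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed TXT answers keyed by query name (assumption: one zone per domain).
CONSTRUCTED_TXT: Dict[str, List[str]] = {
    "strict.example":         ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strict.example":  ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "soft.example":           ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.soft.example":    ["v=DMARC1; p=quarantine; pct=25"],
    "weak.example":           ["v=spf1 +all"],
    "_dmarc.weak.example":    ["v=DMARC1; p=none"],
    "missing.example":        [],   # no SPF record at all
    "_dmarc.missing.example": [],   # no DMARC record at all
}

# Deductions from a starting score of 100 (assumption: weights are illustrative).
SPF_ALL_PENALTY = {"-all": 0, "~all": 15, "?all": 30, "+all": 40, "all": 40}


@dataclass
class EmailAuthFinding:
    domain: str
    score: int = 100
    issues: List[str] = field(default_factory=list)

    def deduct(self, points: int, issue: str) -> None:
        self.score = max(0, self.score - points)
        self.issues.append(issue)

    @property
    def grade(self) -> str:
        """Map the score onto the A-F scale used by security ratings products."""
        for floor, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
            if self.score >= floor:
                return letter
        return "F"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(domain: str, txt: Dict[str, List[str]] = CONSTRUCTED_TXT) -> EmailAuthFinding:
    finding = EmailAuthFinding(domain)

    # SPF: exactly one v=spf1 record whose terminal 'all' mechanism hard-fails unlisted senders.
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        finding.deduct(40, "SPF: no v=spf1 record; any host may claim to send for this domain")
    elif len(spf) > 1:
        finding.deduct(40, "SPF: multiple v=spf1 records; receivers treat this as permerror")
    else:
        terms = spf[0].lower().split()
        terminal = terms[-1]
        if terminal in SPF_ALL_PENALTY:
            if SPF_ALL_PENALTY[terminal]:
                finding.deduct(SPF_ALL_PENALTY[terminal],
                               f"SPF: terminal mechanism '{terminal}' does not hard-fail unauthorized senders")
        elif not any(t.startswith("redirect=") for t in terms):
            finding.deduct(20, "SPF: no 'all' mechanism or redirect=; unlisted senders get a neutral result")

    # DMARC: published at _dmarc.<domain>, enforcing (p=reject), applied to all mail, with reporting.
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        finding.deduct(40, "DMARC: no record; spoofed mail is neither quarantined nor reported")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            finding.deduct(30, "DMARC: p=none is monitoring only, no enforcement")
        elif policy == "quarantine":
            finding.deduct(10, "DMARC: p=quarantine; p=reject is the enforcing policy")
        elif policy != "reject":
            finding.deduct(30, f"DMARC: unknown policy '{policy}'")
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 0
        if pct < 100:
            finding.deduct(10, f"DMARC: pct={pct} applies the policy to only part of the mail stream")
        if "rua" not in tags:
            finding.deduct(5, "DMARC: no rua= address, so aggregate abuse reports go nowhere")
    return finding


if __name__ == "__main__":
    for name in ("strict.example", "soft.example", "weak.example", "missing.example"):
        f = assess_email_auth(name)
        print(f"{name:16} {f.grade} ({f.score:3d})  " + "; ".join(f.issues))
```

The point a rating hides is visible in the issue list: soft.example has both records and still scores a D because ~all plus p=quarantine at pct=25 means three quarters of spoofed mail is treated exactly as if no policy existed.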
Reporting and Continuous Monitoring
ThreatNG offers continuous monitoring of the external attack surface, digital risk, and security ratings. This ensures risks are identified and addressed as soon as they appear.
For reporting, ThreatNG provides various outputs, including Executive, Technical, and Prioritized reports (High, Medium, Low, and Informational).
Example of ThreatNG Helping: ThreatNG's continuous monitoring detects that a previously clean subdomain now serves an Invalid Certificate, which directly lowers the Cyber Risk Exposure rating. This change triggers an Executive Report that highlights the changed A-F security rating and a Prioritized Technical Report detailing the specific invalid certificate issue, with Reasoning, Recommendations, and Reference links the security team can use to fix the problem.
Investigation Modules
The Reconnaissance Hub acts as a unified command interface that fuses portfolio-wide threat assessment with granular entity investigation. Its modules allow security teams to drill down into specific areas of risk.
Examples of Detailed Investigation Modules:
Subdomain Intelligence: This module performs a deep analysis of subdomains. It includes checking HTTP Responses, Header Analysis (for example, whether Content-Security-Policy is set), and Server Headers to fingerprint technologies. For instance, it can uncover a subdomain running an outdated version of a web platform such as WordPress and simultaneously match that version to a known vulnerability, which would contribute to a high Breach & Ransomware Susceptibility rating.
Sensitive Code Exposure: This module discovers public code repositories and scans them for exposed secrets. For example, a search could reveal a GitHub repository with a Configuration File containing a forgotten AWS Secret Access Key.
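Both the Mobile App Exposure assessment and the Sensitive Code Exposure module come down to the same operation: scanning extracted text (decompiled app strings, a committed configuration file) for credential formats. The block below is an added example written for this page, not ThreatNG's scanner. It uses the public prefix formats for AWS access key IDs, Stripe live secret keys, GitHub tokens and PEM private keys, and a keyword-adjacent match for the 40-character AWS secret access key; the entropy threshold and the placeholder markers are assumptions added to cut false positives. The sample file is constructed and contains no live credentials (the AKIAIOSFODNN7EXAMPLE pair is AWS's documented placeholder).

```python
"""Scan text (decompiled app strings, a config file, a repo dump) for embedded secrets.

Added example for this page, not ThreatNG's code. The patterns are the public
prefix formats for these credential types; the sample input is constructed and
contains no real credentials. Entropy and placeholder filters are assumptions
chosen to cut false positives, not a vendor's rules.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# (kind, regex with the secret in group 1, minimum Shannon entropy in bits per character)
PATTERNS = [
    ("aws_access_key_id",
     re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[0-9A-Z]{16})(?![A-Z0-9])"), 0.0),
    ("aws_secret_access_key",   # 40 base64-ish chars, only when assigned to the well-known variable name
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"), 4.0),
    ("stripe_live_secret_key", re.compile(r"(sk_live_[0-9A-Za-z]{24,})"), 0.0),
    ("github_token", re.compile(r"(gh[pousr]_[A-Za-z0-9]{36,})"), 0.0),
    ("private_key", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"), 0.0),
]
PLACEHOLDER_MARKERS = ("EXAMPLE", "CHANGEME", "YOUR_", "XXXX")   # assumption: documented dummies


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for 'xxxx...', above 5 for a random 40-character key."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


@dataclass
class SecretFinding:
    line_no: int
    kind: str
    redacted: str   # never carry the full value into a report or log line


def redact(value: str) -> str:
    return value if len(value) <= 12 else value[:4] + "..." + value[-4:]


def scan_text(text: str) -> List[SecretFinding]:
    findings: List[SecretFinding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, regex, min_entropy in PATTERNS:
            for m in regex.finditer(line):
                value = m.group(1)
                if any(mark in value.upper() for mark in PLACEHOLDER_MARKERS):
                    continue   # documented placeholder such as AKIAIOSFODNN7EXAMPLE
                if shannon_entropy(value) < min_entropy:
                    continue   # filler like 'xxxx...' assigned to a secret variable
                findings.append(SecretFinding(line_no, kind, redact(value)))
    return findings


# Constructed sample resembling a committed config file; nothing here is a live credential.
SAMPLE_CONFIG = """\
# sample.ini (constructed)
[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[aws-prod]
aws_access_key_id = AKIAQ3ZX7YJ2N8M5K4LP
aws_secret_access_key = 9Lx2/Qv7pT4mZ8nB1rK6sW3yJ0hC5dF+aG2eH7uV
[staging]
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
STRIPE_SECRET = sk_live_Ab12Cd34Ef56Gh78Ij90Kl12
GITHUB_TOKEN = ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no:2d}  {f.kind:24s} {f.redacted}")
```

Run against the sample it reports five findings (lines 6, 7, 10, 11 and 12) and skips the two AWS documentation placeholders and the all-x filler. The keyword-adjacent rule for the AWS secret is the trade-off to note: a 40-character secret pasted without its variable name is missed, which is why a real scanner pairs prefix patterns with a generic high-entropy string detector and then verifies candidates (for example, a harmless STS GetCallerIdentity call for AWS pairs) before raising a finding.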
Search Engine Exploitation: This module investigates an organization's susceptibility to exposing sensitive information via search engines, such as Public Passwords, Potential Sensitive Information, or Admin Directories. It does this by discovering and analyzing files like robots.txt and security.txt; a robots.txt Disallow list, for example, often names exactly the administrative paths an operator wanted hidden.
Dark Web Presence: This module monitors the dark web for mentions of the organization, associated ransomware incidents, and compromised credentials. A security team could use this to find mentions of a key executive's email address in a Compromised Credentials finding, enabling them to force a password reset and implement multi-factor authentication immediately.
Intelligence Repositories
ThreatNG maintains continuously updated intelligence repositories, branded as DarCache: Data Reconnaissance Cache.
Examples of Intelligence Repositories:
DarCache Vulnerability: This is a comprehensive repository that includes data from NVD (for technical details and CVSS scores), KEV (for actively exploited vulnerabilities in the wild), EPSS (for the likelihood of future exploitation), and verified Proof-of-Concept (PoC) Exploits. This allows security teams to use the combined data to prioritize patching a vulnerability with a high NVD severity score, confirmation in KEV, and an available PoC exploit, focusing resources on risks that are immediate and proven.
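The prioritization described above, with the four sources combined, can be expressed as a sort key so that exploitation evidence outranks a high CVSS base score. The block below is an added example written for this page, not DarCache code. The records are constructed placeholders (EXAMPLE-n, not real CVE identifiers) and the 10% EPSS bar is an assumption; in practice the fields would be populated from NVD, CISA KEV, FIRST EPSS and a proof-of-concept index.

```python
"""Rank external vulnerability findings by exploitation evidence, not CVSS alone.

Added example for this page, not ThreatNG's DarCache code. The records are
constructed placeholders (EXAMPLE-n, not real CVE IDs); in practice the fields
come from NVD (cvss), CISA KEV (in_kev), FIRST EPSS (epss) and a PoC index (has_poc).
"""
from dataclasses import dataclass
from typing import List

EPSS_HIGH = 0.10   # assumption: 10% 30-day exploitation probability as the bar


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    asset: str
    cvss: float
    in_kev: bool
    epss: float
    has_poc: bool

    def tier(self) -> str:
        """Action bucket: proven or probable exploitation beats severity on paper."""
        if self.in_kev or (self.has_poc and self.epss >= EPSS_HIGH):
            return "patch now"
        if self.cvss >= 7.0 or self.epss >= EPSS_HIGH:
            return "schedule"
        return "backlog"


def prioritize(records: List[VulnRecord]) -> List[VulnRecord]:
    """Order: KEV entries, then PoC with high EPSS, then raw EPSS, with CVSS as the tie-break."""
    return sorted(
        records,
        key=lambda r: (r.in_kev, r.has_poc and r.epss >= EPSS_HIGH, r.epss, r.cvss),
        reverse=True,
    )


# Constructed findings for four externally facing hosts (placeholder IDs, not real CVEs).
CONSTRUCTED = [
    VulnRecord("EXAMPLE-1", "www.mycompany.example",  cvss=9.8, in_kev=False, epss=0.012, has_poc=False),
    VulnRecord("EXAMPLE-2", "blog.mycompany.example", cvss=7.2, in_kev=True,  epss=0.930, has_poc=True),
    VulnRecord("EXAMPLE-3", "api.mycompany.example",  cvss=8.1, in_kev=False, epss=0.410, has_poc=True),
    VulnRecord("EXAMPLE-4", "shop.mycompany.example", cvss=5.3, in_kev=False, epss=0.004, has_poc=False),
]

if __name__ == "__main__":
    for r in prioritize(CONSTRUCTED):
        print(f"{r.vuln_id}  {r.asset:24s} cvss={r.cvss} kev={r.in_kev} epss={r.epss:.3f} poc={r.has_poc}  -> {r.tier()}")
```

The ordering is the point: EXAMPLE-1, the only 9.8, lands third behind a 7.2 that is in KEV and an 8.1 with a public exploit and a 41% EPSS, because a critical score with a 1% exploitation probability is a scheduling item, not an emergency.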
DarCache Ransomware: This tracks over 70 ransomware gangs, such as LockBit, Akira, and Black Basta, providing intelligence on their activities and tactics to inform the Breach & Ransomware Susceptibility rating.
DarCache ESG: This repository documents environmental, social, and governance (ESG) violations, including those related to competition, safety, and employment. It directly contributes to the Brand Damage Susceptibility and ESG Exposure security ratings.
Complementary Solutions
ThreatNG's External Attack Surface Management capabilities generate high-fidelity, external intelligence that can be used effectively with other cybersecurity solutions to improve overall security operations.
Security Information and Event Management (SIEM) Systems: ThreatNG can feed its external threat intelligence—such as a list of newly discovered Compromised Credentials from the Dark Web Presence module or confirmed phishing domains from the Domain Intelligence module—into a SIEM.
Example of ThreatNG and Complementary Solutions: ThreatNG detects that a domain permutation, such as mycompany-signup.com, has a mail record and is being used as a phishing site. ThreatNG shares this malicious domain indicator with the SIEM, which then automatically generates a high-priority alert and searches its internal logs (proxy, DNS, and mail gateway events) for any users who may have recently clicked on links or entered credentials on that domain, enabling a targeted internal investigation.
Governance, Risk, and Compliance (GRC) Platforms: The External GRC Assessment feature maps external findings to established frameworks like PCI DSS, HIPAA, GDPR, and NIST CSF. This structured, compliance-based data is valuable for GRC tools.
Example of ThreatNG and Complementary Solutions: ThreatNG’s assessment uncovers an exposed cloud bucket in an Azure environment that contains sensitive data, which is flagged as a direct violation of a HIPAA control via the External GRC Assessment. This finding is pushed to the organization's GRC platform, automatically updating the risk register for HIPAA compliance and assigning a remediation task to the Cloud Security team.
Vulnerability Management (VM) Tools: ThreatNG complements internal vulnerability scanners by providing the attacker's view. Its Known Vulnerabilities module uses combined NVD, KEV, EPSS, and PoC Exploits data to prioritize external risks.
Example of ThreatNG and Complementary Solutions: ThreatNG identifies the version of an externally facing WordPress instance on a subdomain using its Subdomain Intelligence. It correlates this to a critical, actively exploited (KEV) vulnerability. This prioritized, externally validated finding is then sent to the VM solution, which raises its priority for that asset above what the CVSS base score alone would justify and immediately escalates the patching requirement for the specific vulnerable host.